Let me try to be more direct.
The interesting policy document here is RFC 3205, section 4:
Note that the convention of appending an "s" to the URL scheme to
mean "use TLS or SSL" (as in "http:" vs "https:") is nonstandard and
of limited value. For most applications, a single "use TLS or SSL"
bit is not sufficient to adequately convey the information that a
client needs to authenticate itself to a server, even if it has the
proper credentials. For instance, in order to ensure that adequate
security is provided with TLS an application may need to be
configured with a list of acceptable ciphersuites, or with the client
certificate to be used to authenticate to a particular server. When
it is necessary to specify authentication or other connection setup
information in a URL these should be communicated in URL parameters,
rather than in the URL prefix.
Why is httpsy different?
Larry
--
http://larry.masinter.net